KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditors’ Report

Secretary and Inspector General
U.S. Department of Labor:

We have audited the accompanying consolidated balance sheets of the U.S. Department of Labor (DOL) as of
September 30, 2008 and 2007; the related consolidated statements of net cost and changes in net position, and
combined statements of budgetary resources for the years then ended; and the statements of social insurance as of
September 30, 2008, 2007, and 2006 (hereinafter referred to as “consolidated financial statements”). The objective of
our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection
with our fiscal year 2008 audit, we also considered DOL’s internal controls over financial reporting and tested
DOL’s compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could
have a direct and material effect on these consolidated financial statements.

We have also examined DOL’s compliance with section 803a of the Federal Financial Management Improvement
Act of 1996 (FFMIA) as of September 30, 2008.

SUMMARY
As stated in our opinion on the consolidated financial statements, we concluded that the consolidated financial
statements present fairly, in all material respects, the financial position of DOL as of September 30, 2008 and 2007;
its net costs, changes in net position, and budgetary resources for the years then ended; and the financial condition of
its social insurance program as of September 30, 2008, 2007, and 2006, in conformity with U.S.
generally accepted
accounting principles.

As discussed in our opinion on the consolidated financial statements, the statements of social insurance present the
actuarial present value of DOL’s future expenditures to be paid to or on behalf of participants, estimated future
income to be received from excise taxes, and estimated expenditures for administrative costs and interest payments
during a projection period ending in 2040.

Also as discussed in our opinion on the consolidated financial statements, in fiscal year 2008, DOL changed the
financial statement presentation of its custodial activities from a principal financial statement to a disclosure in the
accompanying notes to the consolidated financial statements.

Our consideration of internal control over financial reporting resulted in the following conditions being identified as
significant deficiencies:

    1. Lack of Adequate Controls over Access to Key Financial and Support Systems

    2. Weakness Noted over Payroll Accounting

    3. Lack of Segregation of Duties over Journal Entries

However, none of the significant deficiencies are believed to be material weaknesses.

KPMG LLP, a U.S.
limited liability partnership, is the U.S.
member firm of KPMG International, a Swiss cooperative.

FY 2008 Performance and Accountability Report
Financial Section

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements
disclosed one instance of Anti-Deficiency Act noncompliance that is required to be reported under Government
Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget
(OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements.

As stated in our opinion on DOL’s compliance with FFMIA, we concluded that DOL complied, in all material
respects, with the requirements of FFMIA as of September 30, 2008.

The following sections discuss our opinion on DOL’s consolidated financial statements; our consideration of DOL’s
internal controls over financial reporting; our tests of DOL’s compliance with certain provisions of applicable laws,
regulations, contracts, and grant agreements; and management’s and our responsibilities.

OPINION ON THE FINANCIAL STATEMENTS
We have audited the accompanying consolidated balance sheets of the U.S. Department of Labor as of September 30,
2008 and 2007; the related consolidated statements of net cost and changes in net position, and the combined
statements of budgetary resources for the years then ended; and the statements of social insurance as of September
30, 2008, 2007, and 2006.
The accompanying statements of social insurance as of September 30, 2004 and 2005 were
not audited by us and, accordingly, we do not express an opinion on them.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the
financial position of the U.S. Department of Labor as of September 30, 2008 and 2007; its net costs, changes in net
position, and budgetary resources for the years then ended; and the financial condition of its social insurance program
as of September 30, 2008, 2007, and 2006, in conformity with U.S. generally accepted accounting principles.

As discussed in Note 1-W to the consolidated financial statements, the statements of social insurance present the
actuarial present value of DOL’s future expenditures to be paid to or on behalf of participants, estimated future
income to be received from excise taxes, and estimated expenditures for administrative costs and interest payments
during a projection period ending in 2040. In preparing the statements of social insurance, management considers and
selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements. However,
because of the large number of factors that affect the statement of social insurance and the fact that future events and
circumstances cannot be known with certainty, there will be differences between the estimates in the statement of
social insurance and the actual results, and those differences may be material.

Also as discussed in Note 1-B to the consolidated financial statements, in fiscal year 2008, DOL changed the
financial statement presentation of its custodial activities from a principal financial statement to a disclosure in the
accompanying notes to the consolidated financial statements.
DOL revised its fiscal year 2007 consolidated financial
statements and notes to conform to this fiscal year 2008 presentation.

The information in the Management’s Discussion and Analysis, Required Supplementary Information, and Required
Supplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is
supplementary information required by U.S. generally accepted accounting principles. We have applied certain
limited procedures, which consisted principally of inquiries of management regarding the methods of measurement
and presentation of this information. However, we did not audit this information and, accordingly, we express no
opinion on it.

The information in the Secretary’s Message, Performance Section, Other Accompanying Information and
Appendices are presented for purposes of additional analysis and are not required as part of the consolidated financial
statements.
This information has not been subjected to auditing procedures and, accordingly, we express no opinion
on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING
Our consideration of the internal control over financial reporting was for the limited purpose described in the
Responsibilities section of this report and would not necessarily identify all deficiencies in the internal control over
financial reporting that might be significant deficiencies or material weaknesses.

A control deficiency exists when the design or operation of a control does not allow management or employees, in
the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A
significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects DOL’s
ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally
accepted accounting principles such that there is more than a remote likelihood that a misstatement of DOL’s
consolidated financial statements that is more than inconsequential will not be prevented or detected by DOL’s
internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that
results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented
or detected by DOL’s internal control.

In our fiscal year 2008 audit, we consider the deficiencies, described in Exhibit I, to be significant deficiencies in
internal control over financial reporting.
However, we believe that none of the significant deficiencies presented in
Exhibit I are material weaknesses.

We noted certain additional matters that we will report to management of DOL in a separate letter.

COMPLIANCE AND OTHER MATTERS
The results of certain of our tests of compliance as described in the Responsibilities section of this report, exclusive
of those referred to in FFMIA, disclosed one instance of Anti-deficiency Act noncompliance that is required to be
reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, and is described in Exhibit II.

The results of our other tests of compliance as described in the Responsibilities section of this report, exclusive of
those referred to in FFMIA, disclosed no instances of noncompliance or other matters that are required to be reported
herein under Government Auditing Standards or OMB Bulletin No. 07-04.

Other Matters. DOL is currently reviewing two incidents regarding potential violations of the Anti-deficiency Act. As
of the date of this report, no final noncompliance determination has been made.

We noted certain additional matters that we will report to management of DOL in a separate letter.

OPINION ON COMPLIANCE WITH FFMIA

DOL represented that, in accordance with the provisions and requirements of FFMIA, the Secretary of Labor
determined that the DOL’s financial management systems are in substantial compliance with FFMIA.

We have examined the U.S. Department of Labor’s compliance with section 803a of the Federal Financial
Management Improvement Act of 1996 as of September 30, 2008.
Under section 803a of FFMIA, the U.S.
Department of Labor’s financial management systems are required to substantially comply with (1) Federal financial
management systems requirements, (2) applicable Federal accounting standards, and (3) the United States
Government Standard General Ledger at the transaction level. We used OMB’s Revised Implementation Guidance
for the Federal Financial Management Improvement Act, dated January 4, 2001, to determine compliance.

In our opinion, the U.S. Department of Labor complied, in all material respects, with the aforementioned
requirements as of September 30, 2008.

RESPONSIBILITIES
Management’s Responsibilities. Management is responsible for the consolidated financial statements; establishing
and maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements
applicable to DOL.

Auditors’ Responsibilities. Our responsibility is to express an opinion on the consolidated financial statements of
DOL based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in Government Auditing Standards,
issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and OMB
Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable assurance about whether the
consolidated financial statements are free of material misstatement.
An audit includes consideration of internal
control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances,
but not for the purpose of expressing an opinion on the effectiveness of DOL’s internal control over financial
reporting. Accordingly, we express no such opinion.

An audit also includes:

• Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial
  statements;
• Assessing the accounting principles used and significant estimates made by management; and
• Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2008 audit, we considered DOL’s internal control over financial reporting
by obtaining an understanding of DOL’s internal control, determining whether internal controls had been placed in
operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for
the purpose of expressing our opinion on the consolidated financial statements. We did not test all internal controls
relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The
objective of our audit was not to express an opinion on the effectiveness of DOL’s internal control over financial
reporting.
Accordingly, we do not express an opinion on the effectiveness of DOL’s internal control over financial
reporting.

As part of obtaining reasonable assurance about whether DOL’s fiscal year 2008 consolidated financial statements
are free of material misstatement, we performed tests of DOL’s compliance with certain provisions of laws,
regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on
the determination of the consolidated financial statement amounts, and certain provisions of other laws and
regulations specified in OMB Bulletin No. 07-04, including the provisions referred to in section 803(a) of FFMIA.
We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test
compliance with all laws, regulations, contracts, and grant agreements applicable to DOL. However, providing an
opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and,
accordingly, we do not express such an opinion.

Our responsibility also included expressing an opinion on DOL’s compliance with FFMIA section
803a requirements
as of September 30, 2008, based on our examination. Our examination was conducted in accordance with attestation
standards established by the American Institute of Certified Public Accountants and the standards applicable to
attestation engagements contained in Government Auditing Standards issued by the Comptroller General of the
United States, and accordingly, included examining, on a test basis, evidence about DOL’s compliance with the
requirements of FFMIA section 803a and performing such other procedures as we considered necessary in the
circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does
not provide a legal determination on DOL’s compliance with specified requirements.

______________________________

DOL’s response to the findings identified in our audit is presented in Exhibit I. We did not audit DOL’s response
and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of DOL’s management, DOL’s Office of Inspector General,
OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be
used by anyone other than these specified parties.

November 14, 2008

Significant Deficiencies
Exhibit I

1.
Lack of Adequate Controls over Access to Key Financial and Support Systems

In fiscal year (FY) 2007, we reported a significant deficiency related to the lack of adequate controls over access
to key financial and support systems.

The Office of the Inspector General (OIG) recommended that management:

• Identify key financial information technology (IT) controls and incorporate them into the U.S. Department of
  Labor’s (DOL) internal control and Office of Management and Budget (OMB) Circular No. A-123 testing
  process, to ensure that these controls are documented and operating effectively during the year.

• Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address
  access control weaknesses in current financial management systems.

During our FY 2008 audit, we noted that DOL identified and tested key IT controls as part of its OMB Circular
No. A-123 testing process. Specifically, we noted that the testing included following up on certain prior year IT
findings and testing the design and operating effectiveness of certain key current year controls. Certain parts of
the OMB Circular A-123 IT testing were performed concurrently with our IT testing and were not completed in
time for us to assess the adequacy of the process.

Additionally, we noted that 30 prior year findings related to access controls have not been corrected by
management (5 in the Office of the Chief Financial Officer (OCFO), 11 in the Employment and Training
Administration (ETA), 4 in the Office of the Assistant Secretary for Administration and Management (OASAM),
and 10 in the Employment Standards Administration (ESA)).
In addition, in FY 2008, we identified access
control weaknesses that resulted in 14 new findings (2 in the OCFO, 2 in ETA, 1 in OASAM, and 9 in ESA).
The specific nature of these weaknesses, their causes, and the systems impacted have been communicated
separately to management.

In summary, we noted issues with account management, configuration management, and review of system audit
logs in our FY 2008 testing of DOL’s IT systems, that present more than a remote likelihood that a misstatement
of DOL’s financial statements that is more than inconsequential will not be prevented or detected. As such, we
believe that these new weaknesses and the uncorrected prior year control weaknesses represent a significant
deficiency over access to key financial and support systems. Specifically, the following control weaknesses were
present in multiple financial systems across various DOL agencies.

• Account Management:

    • Account management controls such as user access request, modification, and termination procedures
      were not documented;
    • Account management controls were not performed, such as incomplete or missing access request,
      modification, and termination forms;
    • Periodic user account reviews or re-certifications were not performed;
    • Generic accounts existed on systems;
    • Access authorization, recertification, and periodic reviews of data center access were not consistent with
      policies;
    • Certain terminated personnel had active system accounts, and in some cases, terminated employees
      accessed systems after their termination date; and
    • Certain human resources personnel had access to create and approve personnel action requests on their
      own.

• Configuration Management:

    • Technical security standards and policies need to be updated and implemented to include stronger logical
      access security controls.
      Specifically, patches were not applied to systems in a timely manner;
      unnecessary services were not disabled; and access to sensitive files, directories, or software was not
      restricted;
    • Production servers were not configured in accordance with baseline configurations or to the most
      appropriate settings;
    • Password settings do not comply with the Office of the Chief Information Officer Computer Security
      Handbook; and
    • Inactive accounts were not disabled or deleted in a timely manner.

• Review of System Audit Logs:

    • Audit logs monitoring user and administrator activity, changes to security profiles, remote access logs,
      access to sensitive directories, and failed login attempts are not reviewed, or documentation of audit log
      reviews was not maintained;
    • Audit log review procedures were not documented and finalized;
    • Audit logs were not secured against editing by system administrators; and
    • Application-level audit logs (e.g., significant transactions and changes to sensitive tables) were not
      proactively reviewed.

These findings are the result of weaknesses in the implementation and monitoring of Departmental processes and
procedures. Certain parts of management’s OMB Circular No. A-123 IT testing were not completed in time for
us to assess whether the process was adequate or addressed our recommendation. While the agencies closed 24
prior year findings, they have not invested the necessary level of effort or properly allocated their resources to
ensure that policies are designed and operating effectively.
These access control weaknesses could result in users
with inappropriate access to financial systems; inefficient processes; lack of completeness, accuracy, or integrity
of financial data; and/or undetected unusual activity within financial systems.

Based on these facts noted as part of our FY 2008 audit, we consider the recommendation related to testing key
financial IT controls as part of the OMB Circular No. A-123 testing process resolved and open. However, we
have revised the status of the recommendation related to coordinating efforts among the DOL agencies to
develop and/or enforce procedures and controls to address access control weaknesses in current financial
management systems from resolved and open to unresolved.

Management’s Response: DOL maintains policies, procedures and standards for management, operational, and
technical controls that collectively provide compound safeguards and redundant security measures to ensure the
integrity of DOL financial systems. Additionally, of the 44 open notifications of findings and recommendations
(NOFRs) auditors issued to four DOL agencies in this draft audit report, none concluded that the cited weakness
in agency-level access controls in and of itself amounted to a “significant deficiency.”

In FY 2008, DOL Management continued to focus on aggressive remediation efforts resulting in substantial
improvements to the Department’s overall IT control environment, resulting in closure of 24 prior year audit
findings.
Additionally, the OCIO security monitoring program was enhanced to identify deficiencies requiring
agency corrective action and target areas for additional oversight and monitoring.

Although fully supportive of the need for continual improvement of IT controls, management maintains that the
controls inherent to specific applications, as well as manual, and other compensating controls already in place,
are sufficiently designed and effective to prevent or detect any unauthorized access to DOL financial systems. As
such, management believes that the likelihood of a misstatement of DOL’s financial statement is remote.

In FY 2009, management plans to further strengthen its monitoring program by establishing a Department-wide
comprehensive strategy to address the identified conditions associated with access controls and configuration
management procedures and working directly with the agencies to implement the objectives and milestones for
this strategy (FY 2009 Q2). We will also complete quarterly security control testing to measure the effectiveness
of the agencies’ implementation of the access control and configuration management procedures (FY 2009 Q2 –
Q4).

Further, the auditors have represented that a detailed report will be issued in December 2008 that will provide the
in-depth analysis performed in support of its conclusions. Management will be able to provide a more in-depth
response at that time.

Regarding the A-123 related recommendation, the OMB Circular No.
A-123 IT testing was performed on a timely
basis to meet all A-123 requirements, although certain of the testing may not have been completed on a
timeframe to enable KPMG to adequately review the work. For FY 2009, we will accelerate the A-123 testing.
Timing of the testing will depend on when the agency documentation is available, and as constrained by the
availability of funding due to the restrictions of the continuing resolution.

Auditor Response: The details of all our FY 2008 IT findings and recommendations were provided to DOL
management through the NOFR process. While we did not identify any individual finding as a significant
deficiency, we evaluated the combination of certain findings, in accordance with auditing standards generally
accepted in the United States of America, to conclude that a significant deficiency does exist. Although
management stated that they do not concur with our recommendations, they plan on taking steps to address them.
Therefore, these recommendations are considered resolved and open.

2. Weakness Noted over Payroll Accounting

During FY 2006, the U.S. Department of Agriculture’s (USDA) Office of Chief Financial Officer
(OCFO)/National Finance Center (NFC) processed DOL’s payroll. The Fiscal Year 2006 – Office of the Chief
Financial Officer/National Finance Center General Control Review dated September 21, 2006, and issued by the
USDA’s Office of Inspector General (Report No. 11401-24-FM) reported a qualified opinion regarding the
effectiveness of NFC’s internal controls for the period October 1, 2005, through June 30, 2006.
During FY 2006,
DOL did not have policies and procedures in place to reconcile the payroll information it submitted to the NFC
to that received and processed by the NFC.

For each FY 2006 pay period, DOL submitted to the NFC payroll information that included all DOL employees
for the period, along with their hours worked, leave used, and other payroll related information for the period.
The NFC processed the payroll for DOL each period and made available for download a Detail Pay and Deduct
Register report for each DOL Human Resources office. We noted that DOL did not utilize these reports to
perform reviews or reconciliations of data processed by the NFC, and no other controls were in place during the
year to ensure that the information that was submitted to NFC via Time and Attendance records was reconciled
to what was shown as paid in the Detail Pay and Deduct Register.

We recommended that management develop and implement policies and procedures to reconcile payroll
information provided to the NFC to the payroll information processed by the NFC each pay period. These
reconciliations should be documented, reviewed, approved by an appropriate supervisor, and maintained.

During FY 2007, the NFC continued to process DOL’s payroll.
The Fiscal Year 2007 – Office of the Chief
Financial Officer/National Finance Center General Control Review dated September 27, 2007, and issued by the
USDA’s Office of Inspector General (Report No. 11401-26-FM) reported a qualified opinion regarding the
effectiveness of NFC’s internal controls for the period July 1, 2006, through June 30, 2007.

As part of DOL’s corrective action plan for FY 2007, the OCFO’s PeoplePower Task Force created a Time and
Attendance Reconciliation Report based on the NFC’s Detail Pay and Deduct Register to be used to reconcile
information sent to NFC to that received and processed by NFC. In March 2007, the DOL OCFO issued policies
and procedures that state that each DOL Human Resource office should review the Time and Attendance
Reconciliation Reports each pay period and research and resolve differences identified.
No offices that we tested
complied with the new OCFO procedures, but two offices that we tested performed their own reconciliation
procedures.

During FY 2008, the OCFO issued revised policies and procedures dated October 23, 2007, requiring a review of
the Time and Attendance Reconciliation Reports, and implemented these policies and procedures. The OCFO
also performed monitoring department-wide to ensure that the reviews were completed, documented, and
approved by an appropriate supervisor, and maintained. However, we noted that the reconciliation tested from
the Atlanta processing center did not contain a signature to validate the review. In addition, the Time and
Attendance Reconciliation Reports do not contain a space for the date of the review; therefore, the timeliness of
the reconciliations and certifications was not verifiable.

The policies and procedures issued and the related reviews and audits appeared to reconcile and certify time and
attendance records only. When we requested supporting documentation for the reviews of other NFC inputs and
outputs (e.g., Gross Pay and Benefit Withholdings), we noted that the five agencies selected for testwork were
able to provide the Detail Pay and Deduct Register report; however, the agencies could not provide evidence of
review or recalculations of payroll-related items other than time and attendance. Therefore, we cannot conclude
that such reviews and recalculations were completed. The lack of compensating reconciliation controls around
the NFC compensation outputs increases the risk that payroll-related line items may be misstated due to errors in
payroll processing by NFC.

Federal agencies that use external service providers, such as the NFC, should have controls in place to ensure the
accuracy of processing outputs. As stated by the USDA OIG in its FY 2008 Report No.
11401-28-FM, “The
accuracy and reliability of data processed by OCFO/NFC and the resultant reports rests with the customer agency
and any compensating controls implemented by the agencies.”

OMB Circular No. 123, Management’s Responsibility for Internal Control, states, “Application control should be
designed to ensure that transactions are properly authorized and processed accurately and that the data is valid
and complete. Controls should be established at an application’s interfaces to verify inputs and outputs, such as
edit checks.”

Additionally, per the Government Accountability Office’s (GAO) Standards for Internal Control in the Federal
Government, “Internal control should generally be designed to assure that ongoing monitoring occurs in the
course of normal operations. It is performed continually and is ingrained in the agency’s operations. It includes
regular management and supervisory activities, comparisons, reconciliations, and other actions people take in
performing their duties.”

DOL’s policies and procedures do not provide adequate guidance on the need for agencies to review
payroll-related items other than time and attendance records. Therefore, even though the Detail Pay and Deduct
Register reports are being generated, no requirement exists for agencies to review all payroll information in the
reports. In addition, the OCFO does not have a process in place to monitor the completion of the reviews of
payroll-related items other than time and attendance.

As such, we consider the recommendation we made in FY 2006 as resolved and open.
To close this
recommendation in the future, the DOL OCFO should (a) ensure that Human Resource offices are reconciling all
payroll information, not only time and attendance records, provided to the NFC to the payroll information
processed by the NFC for each pay period, (b) ensure that these reconciliations are documented, reviewed, and
approved by an appropriate supervisor, and maintained, and (c) update DOL’s current policies and procedures to
reflect these changes.

Management Response: The FY 2006 and FY 2007 audits focused on reconciliation of time and attendance.
Accordingly, management made considerable progress in this area by implementing and monitoring procedures
requiring reconciliation of time and attendance data. We also implemented improved procedures to reconcile
payroll data provided by NFC to that recorded in DOLAR$, another critical payroll reconciliation. The updated
finding for FY 2008 states that DOL does not review or recalculate other elements of pay, such as gross pay and
withholdings. However, while certain agencies may not have conducted such reviews, we found that major
agencies (such as ETA, ESA and BLS) are performing various analytical reviews to validate bi-weekly gross
payroll and use these procedures to detect variances from prior periods or from budgeted amounts.
We also
understand that the ultimate check and balance on payroll are the employees themselves as every employee is
responsible for ensuring that all aspects of their salary and deductions are correct.

In FY 2009, the OCFO will work to enhance existing policy and procedures and analytical controls, and will
expand such controls throughout all DOL agencies. The OCFO will also implement procedures to verify and
recalculate a sample of payroll transactions recorded throughout the fiscal year, and will develop and utilize
change reports for purposes of identifying unusual fluctuations in payroll totals. These procedures will be
developed and implemented by March 31, 2009.

Auditor Response: DOL indicated above that several of its agencies are performing analytical reviews to validate
bi-weekly gross payroll; however, DOL did not provide us evidence of these activities during our FY 2008 audit
procedures. Although management stated that they do not completely concur with our recommendations, they
plan on taking steps to address them. Therefore, these recommendations are considered resolved and open.

3. Lack of Segregation of Duties over Journal Entries

During the FY 2006 audit, we noted that accounting staff from all DOL agencies were able to prepare and enter
journal entries into the Department of Labor Accounting and Related Systems (DOLAR$) without approval.

We recommended that management reconfigure DOLAR$ so that journal entries entered into the DOLAR$
general ledger system and its successor system are required to be approved electronically by an individual other
than the preparer before posting.
We also recommended that agencies implement manual compensating review
controls until system controls have been implemented.

During FY 2007, we found that management had not reconfigured DOLAR$ so that journal entries entered into it
are required to be approved electronically by an individual other than the preparer before posting because DOL
plans on implementing a new general ledger system by October 2009. In addition, although the OCFO had
developed department-wide manual policies and procedures designed to ensure the segregation of journal entry
preparation and approval authority, we noted that a number of journal entries did not have supporting
documentation evidencing management review and approval.

During the FY 2008 audit, we noted that management implemented new department-wide manual policies and
procedures designed to ensure the segregation of journal entry preparation and approval authority. However, we
noted that the OCFO did not provide documentation for 134 of 215 journal entries that we selected for review,
from the period October 1, 2007, to June 30, 2008, to support that these journal entries were reviewed by a
supervisor or someone other than the preparer before they were posted to DOLAR$.
The OCFO considers 39 of
the 134 exceptions noted to be exempt from department-wide policies and procedures over manual journal
entries because they are generated by internally-developed programs, which are discussed below in more detail.

Furthermore, we noted that 8 journal entries were posted to DOLAR$ prior to review and approval as evidenced
by the signatures on the cover sheets of the journal entries.

We also noted that certain transactions posted in DOLAR$ related to non-expenditure transfers erroneously
impact expended and unexpended appropriations balances. To ensure that these balances are correctly reported
at fiscal year end, the OCFO uses an internally-developed program to generate a manual journal entry to reverse
the erroneous components of the transfer entries. However, OCFO staff did not update the program to capture
and correct such errors made in FY 2008 transfer entries.
As a result, the balances of expended appropriations
and unexpended appropriations at fiscal year end were initially misstated by approximately $716 million, and the
OCFO posted an auditor-proposed adjustment in November to correct the error. OCFO supervisors did not
identify this error since management considers the related journal entries to be part of an automated process that
is not subject to the department-wide policies and procedures that require manual journal entries to be reviewed
by a supervisor or someone other than the preparer before they are posted to DOLAR$.

By posting transactions without proper review and approval and allowing individuals the authority to prepare and
approve their own transactions in DOLAR$, there is an increased risk that a material error would not be
prevented or detected and corrected in a timely manner.

In addition, management represented that the new core financial management system, to be implemented in
October 2009, will require electronic approval by someone other than the preparer before journal entries are
posted. As a result, we were again informed that DOL does not plan to implement the recommendation to
reconfigure DOLAR$ so that journal entries entered into DOLAR$ are approved electronically by an individual
other than the preparer before posting.

Per GAO’s Standards of Internal Control in the Federal Government, “Key duties and responsibilities need to be
divided or segregated among different people to reduce the risk of error or fraud. This should include separating
the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and
handling any related assets.
No one individual should control all key aspects of a transaction or event.”

Since management provided their timeframes to implement the new general ledger system that requires
electronic approval by someone other than the preparer before journal entries are posted, we consider the
corrective action recommendation we made in FY 2007 resolved and open. To close the recommendation,
management needs to ensure that the new core financial management system is configured, upon
implementation, so that journal entries entered into it are required to be approved electronically by an individual
other than the preparer.

Because management does not monitor DOL employees’ compliance with the OCFO policies and procedures in
place that require all journal entries to be properly prepared, supported, and approved before posting to DOLAR$
and that proper segregation of duties is in place related to the preparation and posting of journal entries, we
consider the manual control recommendation made in FY 2006 as unresolved. To close this recommendation,
management should (a) monitor DOL employees’ compliance with the department-wide policies and procedures
in place for documenting the review of all journal entries prior to posting in DOLAR$, (b) update the
department-wide policies and procedures to require that manual journal entries generated by internally-developed
programs be reviewed and approved by a supervisor or someone other than the preparer before they are posted to
DOLAR$, and (c) design and implement detective controls that require supervisors to periodically generate and
review activity reports that list all journal entries posted to DOLAR$.
These controls should ensure that all
journal entries that are posted are appropriate, supported, and documented.

Management Response: We analyzed the sample results cited in this finding, and found that not all transactions
selected were manual entries subject to the standard, department-wide journal entry procedures referred to and
tested by the auditors. In fact, a number of these transactions were recorded in DOLAR$ via an automated
process, or were related to unique activities of DOL agencies, for which different procedures have been put into
place. In both scenarios, the auditors assumed that such transactions should have been documented and reviewed
similar to journal entries processed in accordance with the department-wide journal entry procedure.
Furthermore, we maintain that the internal control standards allow for different types of controls, both preventive
and detective in nature, which may be used to perform the authorization, recording, and review of transactions,
and the segregation of duties among these functions. Certain transactions were included as exceptions simply
because the review function was performed as a separate process after the transaction was recorded in DOLAR$,
rather than simultaneous with posting.

We do not agree with the auditor’s statement that “management does not monitor DOL’s compliance with
policies and procedures”. We believe that there is disagreement with what transactions are subject to these
requirements.
That said, we will look to clarifying which transactions are subject to preventive and/or detective
controls and update the policies accordingly. Knowing that DOL plans to implement the new core financial
system in FY 2010, we will not consider reconfiguring DOLAR$ at this point in its lifespan. However, the
OCFO will issue written guidelines and minimum requirements for documenting the authorization, recording and
review functions for transactions posted outside of the automated interfaces, and for the segregation of duties
among these functions. The OCFO will periodically monitor compliance with existing policies and procedures
by testing samples of transactions posted throughout the fiscal year. Our assessment and written procedures will
be completed by March 31, 2009, and sampling will begin thereafter.

Auditor Response: We believe that the results of our audit procedures and the misstatement identified support
our conclusion that a significant deficiency exists in this area. Although management stated that they do not
completely concur with our recommendations, they plan on taking steps to address them.
Therefore, these
recommendations are considered resolved and open.

Compliance Matters
Exhibit II

1. Anti-deficiency Act

During FY 2008, DOL management concluded that an Anti-deficiency Act violation had occurred. The total
amount of the violation was $39,450,476. The Secretary of Labor has reported the violation to the President of
the United States, the President of the Senate, the Speaker of the House of Representatives, and the Comptroller
General of the United States, as required by 31 U.S.C. section 1351.

The violation occurred in the Employment and Training Administration Community Service Employment for
Older Americans account (160175) in connection with the Senior Community Service Employment Program in
each of fiscal years 2003 through 2008, covering appropriations enacted for FY 2001 through FY 2005.
These
violations relate to the reobligation of expired funds for FY 2001 through FY 2005, beyond the period allowed
for new obligations, as established in DOL’s annual appropriation for this program.